I have two machines: one running Windows OS with IIS and one running Windows OS with MS SQL. In the production web.config file I configure IIS to use a user name and password when connecting to the DB, and then I encrypt it with a key using RSA. The key will be generated using aspnet_regiis and exported to all IIS machines. Each production server holds only the encrypted web.config file (and an imported key secured in IIS).

The other approach will be to define a connection in the web.config using Windows authentication. This will be a lot less work on my side.
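For reference, the RSA-protected web.config procedure described in the question, written out as an added example (not code from the original post). Every name in it is an assumption: key container `WebAppKeys`, provider `WebAppRsaProvider`, site path `C:\inetpub\wwwroot\WebApp`, app pool `WebAppPool`, and the SQL host, database and login in the connection string. The `aspnet_regiis` switches (`-pc`, `-px`, `-pi`, `-pa`, `-pef`, `-pdf`, `-prov`) are the tool's real ones.

```powershell
# Added example, not from the original post: encrypt <connectionStrings> with a
# machine-level RSA container that is generated once and imported on every IIS
# server. Assumed names: container WebAppKeys, provider WebAppRsaProvider,
# site C:\inetpub\wwwroot\WebApp, app pool WebAppPool, SQL host sql01.corp.example.
$RegIIS    = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$SitePath  = 'C:\inetpub\wwwroot\WebApp'
$Container = 'WebAppKeys'
$KeyFile   = 'C:\keys\WebAppKeys.xml'   # contains the private key: move over a secure channel, then delete

# --- 1. Master server: create an exportable machine-level RSA key container.
& $RegIIS -pc $Container -exp

# --- 2. Master server: export the container INCLUDING the private key (-pri).
& $RegIIS -px $Container $KeyFile -pri

# --- 3. Every other IIS server: import the same container, then remove the file.
& $RegIIS -pi $Container $KeyFile
Remove-Item $KeyFile

# --- 4. Every server: grant the app pool identity read access to the private key.
#        Without this the site cannot decrypt the section at runtime.
& $RegIIS -pa $Container 'IIS APPPOOL\WebAppPool'

# --- 5. The plaintext web.config must declare a provider bound to the container;
#        the provider name is what -prov refers to in step 6.
$webConfig = @'
<configuration>
  <configProtectedData>
    <providers>
      <add name="WebAppRsaProvider"
           type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           keyContainerName="WebAppKeys"
           useMachineContainer="true" />
    </providers>
  </configProtectedData>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=sql01.corp.example;Database=AppDb;User ID=webapp_sql;Password=CHANGE-ME;Encrypt=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@
Set-Content -Path (Join-Path $SitePath 'web.config') -Value $webConfig -Encoding UTF8

# --- 6. Encrypt the connectionStrings section in place (-pef takes a physical path).
& $RegIIS -pef 'connectionStrings' $SitePath -prov 'WebAppRsaProvider'

# Check: the section should now contain <EncryptedData> and no "Password=" text.
Select-String -Path (Join-Path $SitePath 'web.config') -Pattern 'EncryptedData|Password=' |
    ForEach-Object { $_.Line.Trim() }

# To rotate the SQL password later: decrypt, edit the plaintext, run step 6 again.
#   & $RegIIS -pdf 'connectionStrings' $SitePath
```

The point worth noticing is step 4: the site decrypts the section at runtime, so the app pool identity must be able to read the private key, which means anyone who can run code as that identity (or as an administrator on the box) can recover the password. The encryption protects the file at rest and in backups, not against a compromised server.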

2 Answers

Generic rule: by playing fewer games with cryptography, you reduce the risk of making mistakes. In cryptography, "less" means "best".

In this specific case, you will want your machine to be able to reboot in an unattended fashion (e.g. after a power cut in the wee hours of the night). So what your machine contains is enough to access the database, and is protected only by the intrinsic security layer of the OS. Whoever can get administrative access to your servers will be able to grab the data from the database, regardless of whether you made a complicated ritual dance with RSA keys, or just used Windows authentication.

Since it makes no actual difference to security, you might as well choose the simple strategy of using Windows authentication. Bonus: you cannot be blamed for breakage when you follow Microsoft's rules.

There isn't really enough information here to answer that. If you have a secure means of key storage (such as a good TPM (Trusted Platform Module) or an HSM (Hardware Security Module) that can store keys in hardware), then having an encrypted config file would be more secure than having the authentication in the clear.

That said, the information necessary to break either system is present on the computer since IIS can access it. If an attacker has sufficient control of the system, neither system will help you that much since they can masquerade as IIS and submit the decryption.

Honestly, I think Windows Authentication, set up properly, would be OK, but I would do it by having the site run as a particular user. Then give only that user permission to connect to the DB. For an attacker to breach the system, they would need to gain access to an account that has access to the credentials of the service account (at which point they would have control of the application either way), and if they have control of the application, getting the key isn't going to be that hard.

I don't know of any more elaborate ways to add security to the setup, though someone else may have a better idea than I do.
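The layout this answer recommends (site running as a dedicated account, that account being the only principal allowed into the database), written out as an added example that is not part of either answer. The names are assumptions: domain `CORP`, service account `CORP\svc_webapp`, app pool `WebAppPool`, SQL host `sql01.corp.example`, database `AppDb`, application schema `app`. It uses the IIS `WebAdministration` module and `Invoke-Sqlcmd` from the `SqlServer` module, both of which must be installed where the respective steps run.

```powershell
# Added example, not from either answer: Windows authentication with a dedicated
# domain service account and least privilege on the SQL side.
# Assumed names: CORP\svc_webapp, app pool WebAppPool, sql01.corp.example, AppDb, schema [app].
Import-Module WebAdministration

# --- 1. Web server: run the app pool as the service account. It has to be a
#        domain account: the SQL box must be able to authenticate it. With a local
#        account or ApplicationPoolIdentity the site would reach SQL as the
#        machine account (CORP\WEB01$), which also works but is harder to scope.
$cred = Get-Credential -UserName 'CORP\svc_webapp' -Message 'Service account password'
Set-ItemProperty 'IIS:\AppPools\WebAppPool' -Name processModel -Value @{
    identityType = 3                      # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# --- 2. Web server: the connection string carries no secret at all, so there is
#        nothing in web.config left to encrypt.
$webConfig = @'
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=sql01.corp.example;Database=AppDb;Integrated Security=SSPI;Encrypt=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@
Set-Content -Path 'C:\inetpub\wwwroot\WebApp\web.config' -Value $webConfig -Encoding UTF8

# --- 3. SQL server: one login for the service account, one database user, and
#        only what the application needs. Here the app calls stored procedures in
#        schema [app], so it gets EXECUTE on that schema and nothing else:
#        no sysadmin, no db_owner, no db_datareader/db_datawriter.
$tsql = @'
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\svc_webapp')
    CREATE LOGIN [CORP\svc_webapp] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
USE [AppDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\svc_webapp')
    CREATE USER [CORP\svc_webapp] FOR LOGIN [CORP\svc_webapp];
GRANT EXECUTE ON SCHEMA::[app] TO [CORP\svc_webapp];
'@
Invoke-Sqlcmd -ServerInstance 'sql01.corp.example' -Query $tsql

# --- 4. From the web server, as the service account, confirm both that Kerberos/NTLM
#        to SQL works and that the login is limited to what was granted.
$check = "SELECT SUSER_SNAME() AS login_name, " +
         "IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin, " +
         "HAS_PERMS_BY_NAME('app', 'SCHEMA', 'EXECUTE') AS can_exec_app;"
Start-Process -FilePath 'sqlcmd.exe' -Credential $cred -Wait `
    -RedirectStandardOutput 'C:\temp\sqlcheck.txt' `
    -ArgumentList @('-S', 'sql01.corp.example', '-d', 'AppDb', '-E', '-Q', $check)
Get-Content 'C:\temp\sqlcheck.txt'
```

If step 4 reports the service account name with is_sysadmin 0 and can_exec_app 1, the database will only ever do for the site what the site needs; an attacker who takes over the IIS process inherits that scope and no more, which is the only real gain either configuration can offer once the box itself is compromised. Keep the service account out of local Administrators on the web server and rotate its password on the same schedule you would have used for the SQL login.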